zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2269 Commits
183 Branches
291 MiB
Tree: d4ccc88676
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd4ccc88676'
${ noResults }
tendermint/docs/mintnet-kubernetes.rst

253 lines
7.6 KiB
Raw Normal View History

docs: convert from md to rst
7 years ago
 
  1. Tendermint network powered by Kubernetes

  2. ========================================

  3. 

  4. .. figure:: img/t_plus_k.png

  5.    :alt: Tendermint plus Kubernetes

  6. 

  7.    Tendermint plus Kubernetes

  8. 

  9. -  `QuickStart (MacOS) <#quickstart-macos>`__

  10. -  `QuickStart (Linux) <#quickstart-linux>`__

  11. -  `Usage <#usage>`__

  12. -  `Security <#security>`__

  13. -  `Fault tolerance <#fault-tolerance>`__

  14. -  `Starting process <#starting-process>`__

  15. 

  16. This should primarily be used for testing purposes or for

  17. tightly-defined chains operated by a single stakeholder (see `the

  18. security precautions <#security>`__). If your desire is to launch an

  19. application with many stakeholders, consider using our set of Ansible

  20. scripts.

  21. 

  22. QuickStart (MacOS)

  23. ------------------

  24. 

  25. `Requirements <https://github.com/kubernetes/minikube#requirements>`__

  26. 

  27. ::

  28. 

  29.     curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/darwin/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/kubectl

  30.     curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.18.0/minikube-darwin-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/

  31.     minikube start

  32. 

  33.     git clone https://github.com/tendermint/tools.git && cd tools/mintnet-kubernetes/examples/basecoin && make create

  34. 

  35. QuickStart (Linux)

  36. ------------------

  37. 

  38. `Requirements <https://github.com/kubernetes/minikube#requirements>`__

  39. 

  40. ::

  41. 

  42.     curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/kubectl

  43.     curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.18.0/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/

  44.     minikube start

  45. 

  46.     git clone https://github.com/tendermint/tools.git && cd tools/mintnet-kubernetes/examples/basecoin && make create

  47. 

  48. Verify everything works

  49. ~~~~~~~~~~~~~~~~~~~~~~~

  50. 

  51. **Using a shell:**

  52. 

  53. 1. wait until all the pods are ``Running``.

  54. 

  55. ``kubectl get pods -w -o wide -L tm``

  56. 

  57. 2. query the Tendermint app logs from the first pod.

  58. 

  59. ``kubectl logs -c tm -f tm-0``

  60. 

  61. 3. use `Rest API <https://tendermint.com/docs/internals/rpc>`__ to fetch

  62.    the status of the second pod's Tendermint app. Note we are using

  63.    ``kubectl exec`` because pods are not exposed (and should not be) to

  64.    the outer network.

  65. 

  66. ``kubectl exec -c tm tm-0 -- curl -s http://tm-1.basecoin:46657/status | json_pp``

  67. 

  68. **Using the dashboard:**

  69. 

  70. ::

  71. 

  72.     minikube dashboard

  73. 

  74. Clean up

  75. ~~~~~~~~

  76. 

  77. ::

  78. 

  79.     make destroy

  80. 

  81. Usage

  82. -----

  83. 

  84. (1/4) Setup a Kubernetes cluster

  85. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  86. 

  87. -  locally using `Minikube <https://github.com/kubernetes/minikube>`__

  88. -  on GCE with a single click in the web UI

  89. -  on AWS using `Kubernetes

  90.    Operations <https://github.com/kubernetes/kops/blob/master/docs/aws.md>`__

  91. -  on Linux machines (Digital Ocean) using

  92.    `kubeadm <https://kubernetes.io/docs/getting-started-guides/kubeadm/>`__

  93. -  on AWS, Azure, GCE or bare metal using `Kargo

  94.    (Ansible) <https://kubernetes.io/docs/getting-started-guides/kargo/>`__

  95. 

  96. Please refer to `the official

  97. documentation <https://kubernetes.io/docs/getting-started-guides/>`__

  98. for overview and comparison of different options. See our guides for

  99. `Google Cloud Engine <docs/SETUP_K8S_ON_GCE.md>`__ or `Digital

  100. Ocean <docs/SETUP_K8S_ON_DO.md>`__.

  101. 

  102. **Make sure you have Kubernetes >= 1.5, because you will be using

  103. StatefulSets, which is a beta feature in 1.5.**

  104. 

  105. (2/4) Create a configuration file

  106. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  107. 

  108. Download a template:

  109. 

  110. ::

  111. 

  112.     curl -Lo app.yaml https://github.com/tendermint/tools/raw/master/mintnet-kubernetes/app.template.yaml

  113. 

  114. Open ``app.yaml`` in your favorite editor and configure your app

  115. container (navigate to ``- name: app``). Kubernetes DSL (Domain Specific

  116. Language) is very simple, so it should be easy. You will need to set

  117. Docker image, command and/or run arguments. Replace variables prefixed

  118. with ``YOUR_APP`` with corresponding values. Set genesis time to now and

  119. preferable chain ID in ConfigMap.

  120. 

  121. Please note if you are changing ``replicas`` number, do not forget to

  122. update ``validators`` set in ConfigMap. You will be able to scale the

  123. cluster up or down later, but new pods (nodes) won't become validators

  124. automatically.

  125. 

  126. (3/4) Deploy your application

  127. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  128. 

  129. ::

  130. 

  131.     kubectl create -f ./app.yaml

  132. 

  133. (4/4) Observe your cluster

  134. ~~~~~~~~~~~~~~~~~~~~~~~~~~

  135. 

  136. **web UI** <-> https://github.com/kubernetes/dashboard

  137. 

  138. The easiest way to access Dashboard is to use kubectl. Run the following

  139. command in your desktop environment:

  140. 

  141. ::

  142. 

  143.     kubectl proxy

  144. 

  145. kubectl will handle authentication with apiserver and make Dashboard

  146. available at http://localhost:8001/ui

  147. 

  148. **shell**

  149. 

  150. List all the pods:

  151. 

  152. ::

  153. 

  154.     kubectl get pods -o wide -L tm

  155. 

  156. StatefulSet details:

  157. 

  158. ::

  159. 

  160.     kubectl describe statefulsets tm

  161. 

  162. First pod details:

  163. 

  164. ::

  165. 

  166.     kubectl describe pod tm-0

  167. 

  168. Tendermint app logs from the first pod:

  169. 

  170. ::

  171. 

  172.     kubectl logs tm-0 -c tm -f

  173. 

  174. App logs from the first pod:

  175. 

  176. ::

  177. 

  178.     kubectl logs tm-0 -c app -f

  179. 

  180. Status of the second pod's Tendermint app:

  181. 

  182. ::

  183. 

  184.     kubectl exec -c tm tm-0 -- curl -s http://tm-1.<YOUR_APP_NAME>:46657/status | json_pp

  185. 

  186. Security

  187. --------

  188. 

  189. Due to the nature of Kubernetes, where you typically have a single

  190. master, the master could be a SPOF (Single Point Of Failure). Therefore,

  191. you need to make sure only authorized people can access it. And these

  192. people themselves had taken basic measures in order not to get hacked.

  193. 

  194. These are the best practices:

  195. 

  196. -  all access to the master is over TLS

  197. -  access to the API Server is X.509 certificate or token based

  198. -  etcd is not exposed directly to the cluster

  199. -  ensure that images are free of vulnerabilities

  200.    (`1 <https://github.com/coreos/clair>`__)

  201. -  ensure that only authorized images are used in your environment

  202. -  disable direct access to Kubernetes nodes (no SSH)

  203. -  define resource quota

  204. 

  205. Resources:

  206. 

  207. -  https://kubernetes.io/docs/admin/accessing-the-api/

  208. -  http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html

  209. -  https://blog.openshift.com/securing-kubernetes/

  210. 

  211. Fault tolerance

  212. ---------------

  213. 

  214. Having a single master (API server) is a bad thing also because if

  215. something happens to it, you risk being left without an access to the

  216. application.

  217. 

  218. To avoid that you can `run Kubernetes in multiple

  219. zones <https://kubernetes.io/docs/admin/multiple-zones/>`__, each zone

  220. running an `API

  221. server <https://kubernetes.io/docs/admin/high-availability/>`__ and load

  222. balance requests between them. Do not forget to make sure only one

  223. instance of scheduler and controller-manager are running at once.

  224. 

  225. Running in multiple zones is a lightweight version of a broader `Cluster

  226. Federation feature <https://kubernetes.io/docs/admin/federation/>`__.

  227. Federated deployments could span across multiple regions (not zones). We

  228. haven't tried this feature yet, so any feedback is highly appreciated!

  229. Especially, related to additional latency and cost of exchanging data

  230. between the regions.

  231. 

  232. Resources:

  233. 

  234. -  https://kubernetes.io/docs/admin/high-availability/

  235. 

  236. Starting process

  237. ----------------

  238. 

  239. .. figure:: img/statefulset.png

  240.    :alt: StatefulSet

  241. 

  242.    StatefulSet

  243. 

  244. Init containers (``tm-gen-validator``) are run before all other

  245. containers, creating public-private key pair for each pod. Every ``tm``

  246. container then asks other pods for their public keys, which are served

  247. with nginx (``pub-key`` container). When ``tm`` container have all the

  248. keys, it forms a genesis file and starts Tendermint process.

  249. 

  250. TODO

  251. ----

  252. 

  253. -  [ ] run tendermint from tmuser ``securityContext: fsGroup: 999``